SPNEGO/Kerberos authentication is configured by adding a "HadoopAuth"
authentication provider to the cluster's topology file. When enabled, the Knox
Gateway uses Kerberos/SPNEGO to authenticate users to Knox.

About This Task

The HadoopAuth authentication provider for Knox integrates the Apache Hadoop
module for SPNEGO and delegation token-based authentication. This brings the
same authentication pattern used across much of the Hadoop ecosystem to Apache
Knox and allows clients to use the strong authentication and SSO capabilities
of Kerberos.

Steps

To enable SPNEGO authentication:

Open the cluster topology descriptor file,
$cluster-name.xml, in a text editor.

Add the HadoopAuth authentication provider to
/topology/gateway as follows:

The provider accepts the following parameters (Name, Description, Default):

(name not preserved on this page)
    Description: If specified, all other configuration parameter names
                 must start with the prefix.
    Default: none

signature.secret
    Description: The secret used to sign the delegation token in the
                 hadoop.auth cookie. The same secret must be used across
                 all instances of the Knox gateway in a given cluster;
                 otherwise the delegation token fails validation and
                 authentication is repeated on every request.
    Default: a simple random number

type
    Description: This parameter must be set to kerberos.
    Default: none (an exception is thrown if unset)

simple.anonymous.allowed
    Description: This should always be false for a secure deployment.
    Default: true

token.validity
    Description: The validity (in seconds) of the generated authentication
                 token. This is also used as the rollover interval when
                 signer.secret.provider is set to random or zookeeper.
    Default: 36000 seconds

cookie.domain
    Description: Domain to use for the HTTP cookie that stores the
                 authentication token.
    Default: null

cookie.path
    Description: Path to use for the HTTP cookie that stores the
                 authentication token.
    Default: null

kerberos.principal
    Description: The web-application Kerberos principal name. The Kerberos
                 principal name must start with HTTP/…. For example:
                 HTTP/localhost@LOCALHOST
    Default: null

kerberos.keytab
    Description: The path to the keytab file containing the credentials
                 for the Kerberos principal. For example:
                 /Users/lmccay/lmccay.keytab
    Default: null

kerberos.name.rules
    Description: The name of the ruleset for extracting the username from
                 the Kerberos principal.
    Default: DEFAULT

Save the file.

The gateway creates a new WAR file with a modified timestamp in
$gateway/data/deployments.
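The provider block that the "Add the HadoopAuth authentication provider" step refers to, written out as an added example rather than a listing taken from this page. The secret, principal and keytab path are placeholders for this illustration; the optional prefix parameter is left unset so the parameter names are used bare; simple.anonymous.allowed is explicitly set to false, overriding its insecure default of true.

```xml
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>HadoopAuth</name>
      <enabled>true</enabled>
      <!-- type must be kerberos; the provider throws an exception if unset -->
      <param>
        <name>type</name>
        <value>kerberos</value>
      </param>
      <!-- Placeholder: use one random secret shared by every Knox instance
           in the cluster, otherwise delegation tokens fail validation. -->
      <param>
        <name>signature.secret</name>
        <value>REPLACE-WITH-SHARED-RANDOM-SECRET</value>
      </param>
      <!-- Default is true; a secure deployment sets this to false. -->
      <param>
        <name>simple.anonymous.allowed</name>
        <value>false</value>
      </param>
      <!-- Token lifetime in seconds (page default is 36000). -->
      <param>
        <name>token.validity</name>
        <value>36000</value>
      </param>
      <!-- Placeholder principal; must start with HTTP/ -->
      <param>
        <name>kerberos.principal</name>
        <value>HTTP/knox.example.com@EXAMPLE.COM</value>
      </param>
      <!-- Placeholder keytab path for the principal above -->
      <param>
        <name>kerberos.keytab</name>
        <value>/etc/security/keytabs/spnego.service.keytab</value>
      </param>
      <param>
        <name>kerberos.name.rules</name>
        <value>DEFAULT</value>
      </param>
    </provider>
  </gateway>
</topology>
```

The cookie.domain and cookie.path parameters are omitted here and so keep their null defaults; other providers and services in the topology are left out for brevity.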

REST Invocation

Once a user logs in with kinit, their Kerberos session may be used across
client requests with tools such as curl. The following curl command can be used
to request a directory listing from HDFS while authenticating with SPNEGO via
the --negotiate flag: